
Threat Actor Characterization

BQTScanner

ID: daa2f2eca3d71232dcb50eca4d550f7182653
Crimeware Exploit Kit
Threat types: Intrusion
Iran
Updated: 2026-04-15
Created: 2026-01-26
Progress: 66% Completeness: 52% Freshness: 100%
Operation zone:
Aliases: BQT Scanner, BQT Vuln Scanner
MITRE ATT&CK®

BQTScanner (also branded BAQIYATSCANNER / BQTscanner – Professional) is a GUI-based web vulnerability scanner and exploit harness associated with Liwaa Muhammad / ZeroDayX1, the operator behind BaqiyatLock (BQTLock) ransomware. The tool combines automated active scanning (SQLi, XSS, LFI/RFI, command injection, SSRF, IDOR, arbitrary file upload, XXE, deserialization, CORS and header issues, outdated tech) with an integrated exploit panel, terminal console, and PDF/TXT report generation. It is marketed as an offline, Monero-paid subscription product for red teams and "hackers," and is likely used within the broader BQT ecosystem to identify and weaponize weaknesses in web applications before deploying BQTLock or conducting defacements. Ref: Telegram/Telemetr advert for BAQIYATSCANNER (BQTscanner – Professional) and associated ZeroDayX1 channels.


Technique | Technique name | Tactics | Evidence
T1595.002 | Vulnerability Scanning | TA0043
  • 2025-07 (approx.) — Active Scanning: Vulnerability Scanning – BQTscanner is explicitly advertised as a professional web vulnerability scanner performing automated checks for SQL Injection, Cross-Site Scripting (reflected and DOM), Local/Remote File Inclusion, command injection, directory traversal, SSRF (including cloud metadata), arbitrary file upload, IDOR, XXE, CORS misconfiguration, missing/weak security headers, information disclosure (.env/config/logs), and outdated server technologies; results are logged in real time and summarized with confidence scores in a Scan Report view.
T1592.002 | Software | TA0043
  • 2025-07 (approx.) — Gather Victim Host Information: Software – The BQTscanner feature list includes automated detection of outdated server technologies and missing/weak security headers, implying enumeration of web server software, versions, and configuration details as part of its scanning pipeline.
T1590.001 | Domain Properties | TA0043
  • 2025-07 (approx.) — Gather Victim Network Information: Domain Properties – BQTscanner advertises subdomain takeover checks via passive fingerprinting and supports target lists loaded from files plus web crawling from a starting URL, indicating that it maps victim domains, subdomains, and application paths as part of reconnaissance.
T1190 | Exploit Public-Facing Application | TA0001
  • 2025-07 (approx.) — Exploit Public-Facing Application – BQTscanner includes a built-in Exploit Panel that lets the operator select a detected vulnerability (e.g., SQLi, XSS, insecure deserialization, command injection, file upload), customize HTTP methods, headers and body/payload, and fire exploit requests directly against URLs discovered during scanning. This workflow is designed to move from vulnerability identification to active exploitation of public-facing web applications.
T1587.001 | Malware | TA0042
  • 2025-07 (approx.) — Develop Capabilities: Malware/Offensive Tooling – The BAQIYATSCANNER (BQTscanner – Professional) announcement describes it as a hacker-built, PyQt-based, offline GUI offensive security tool with integrated exploit panel, terminal console, and professional reporting, sold via Monero subscriptions through ZeroDayX1’s Telegram channels. This indicates that the Liwaa Muhammad / ZeroDayX1 cluster is developing and maintaining its own bespoke offensive scanning capability rather than relying solely on commodity scanners.
Strategic Intelligence
Last updated: 2026-01-26T23:44:35+00:00

BQTScanner (Liwaa Muhammad / ZeroDayX1) — Preliminary Intelligence

Classification: TLP:WHITE – Tooling profile

Author: iQBlack Team



Executive Summary

BQTScanner (branded in the UI as “BQTScanner Liwaa Mohammad – The Ultimate Vulnerability Scanner”) is a GUI-based web vulnerability scanner and exploitation harness associated with the same operator behind BaqiyatLock/BQTLock (ZeroDayX1 / Liwaa Muhammad, plausibly Karim Fayad from Lebanon).


From the screenshots and ecosystem context it is best understood as:

Social Media & Communication
SOCMINT integrated: 0/1

Address | Verification | SOCMINT
t.me/BQT******* | Restricted | Not integrated
Notes: preview mode hides sensitive social/contact details.